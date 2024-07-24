Managing open source risk with SCA

Tracking open source usage to manage such risks has always been fundamentally challenging. Any developer with a browser has access to millions of open source components and can download them, or copy a useful function out of them, and paste the result into their own code. Companies can and should have policies and processes to guide developers in their open source use, as well as programs to educate them about the tools that can detect and identify the open source in a codebase, including snippets, which are particularly hard to detect if you are not using the right tool.

The tools that dissect code this way are known as software composition analysis (SCA) tools, and there are a number on the market. Most focus on security and assume disciplined use of package managers, which let developers pull complete open source components (libraries) into their code. Essentially, a developer declares "go get X" in a build or manifest file, and the package manager fetches X, along with whatever X itself depends on. SCA tools read that declaration (or the resulting lock file) and conclude that component X is in the code.

That simple approach works reasonably well for security vulnerabilities, because most known vulnerabilities are tied to a particular version of a whole component and are unlikely to be carried along in a 100-line snippet copied out of it. Licensing is different: a pasted snippet carries the same license obligations as the library it came from, so to gain full visibility into licensing issues you need to detect snippets. The other limitation of this approach is that it assumes open source only enters the codebase through package managers. In reality, open source ends up in software via multiple paths: vendored copies of a library checked into the repository, individual files copied from a project, prebuilt binaries, and snippets pasted from a web page. So the package-manager approach is a good 80% solution for modern application development, but gaining a comprehensive picture requires additional techniques.

Identifying snippets requires sophisticated matching algorithms and a comprehensive knowledge base of the millions of open source components, so that a tool can efficiently check whether any part of a codebase matches known open source code, even after reformatting or renaming. A tool needs to have been architected specifically to include that capability (to augment other techniques like the package-manager approach), and there are few on the market that meet this requirement.
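The following is an added example, not code from the original article or from any SCA vendor. It contrasts the two techniques discussed above on constructed input: the package-manager approach reads a requirements file and lists what was declared, while a snippet detector fingerprints source text with winnowed k-gram hashes (the technique of Schleimer, Wilkerson and Aiken, 2003) and compares those fingerprints against a small knowledge base. The component names and licenses (`example-leftpad`, `example-rightpad`), the `K`, `W` and `threshold` values, and the application file are all assumptions chosen for the demo; real tools tokenize the source rather than simply stripping whitespace and hold a knowledge base of millions of components rather than two.

```python
"""Toy SCA pass, added as an example (not code from the original article or
from any SCA vendor). It contrasts the two detection techniques discussed:
(1) reading a package-manager manifest to list declared components, and
(2) fingerprinting source text with winnowed k-gram hashes (Schleimer,
Wilkerson and Aiken, 2003) to find pasted snippets of known open source
code that the manifest never mentions. Every input below is constructed."""
import hashlib
import re

# --- constructed inputs -----------------------------------------------------
# A requirements.txt as the package manager would see it.
REQUIREMENTS_TXT = """\
requests==2.31.0
# the helper pasted into app.py below is NOT declared here
pyyaml>=6.0
"""

# A tiny "knowledge base" of known components (hypothetical names/licenses).
KNOWLEDGEBASE = {
    "example-leftpad (MIT)": (
        "def left_pad(s, n, ch=' '):\n"
        "    if len(s) >= n:\n"
        "        return s\n"
        "    return ch * (n - len(s)) + s\n"
    ),
    "example-rightpad (MIT)": (
        "def right_pad(s, n, ch=' '):\n"
        "    return s + ch * (n - len(s))\n"
    ),
}

# app.py: uses a declared dependency AND a pasted copy of left_pad.
APP_SOURCE = """\
import requests

def left_pad(s, n, ch=' '):
    if len(s) >= n:
        return s
    return ch * (n - len(s)) + s

def fetch(url):
    return requests.get(url).text
"""

# --- technique 1: the package-manager ("go get X") approach -----------------
REQ_LINE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|!=|<|>)?\s*(\S*)")

def parse_requirements(text):
    """Return (name, operator, version) for each declared component."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = REQ_LINE.match(line)
        if m:
            found.append((m.group(1).lower(), m.group(2), m.group(3)))
    return found

# --- technique 2: snippet detection by winnowed fingerprints ----------------
K = 25   # k-gram length in normalized characters (tuning choice for this demo)
W = 10   # winnowing window; any shared run of >= W+K-1 chars shares a fingerprint

def normalize(src):
    # Real tools tokenize; stripping whitespace is enough to survive re-indentation.
    return re.sub(r"\s+", "", src)

def fingerprint(src):
    """Set of winnowed k-gram hashes: the minimum hash of every W-wide window."""
    text = normalize(src)
    hashes = [hashlib.sha1(text[i:i + K].encode()).hexdigest()
              for i in range(len(text) - K + 1)]
    if not hashes:
        return set()  # input shorter than one k-gram: nothing to match on
    return {min(hashes[i:i + W]) for i in range(max(len(hashes) - W + 1, 1))}

def find_snippets(app_src, knowledgebase, threshold=0.5):
    """Map component name -> fraction of its fingerprints found in app_src."""
    app_fp = fingerprint(app_src)
    hits = {}
    for name, comp_src in knowledgebase.items():
        comp_fp = fingerprint(comp_src)
        if not comp_fp:
            continue
        share = len(app_fp & comp_fp) / len(comp_fp)
        if share >= threshold:
            hits[name] = round(share, 2)
    return hits

def sca_report(manifest, app_src, knowledgebase):
    """What a manifest-only tool would report versus what snippet matching adds."""
    return {
        "declared": parse_requirements(manifest),
        "snippets": find_snippets(app_src, knowledgebase),
    }

if __name__ == "__main__":
    print(sca_report(REQUIREMENTS_TXT, APP_SOURCE, KNOWLEDGEBASE))
```

Running it shows the gap the article describes: the manifest yields only `requests` and `pyyaml`, while fingerprinting flags the pasted `left_pad` as a full match against `example-leftpad` and, because no 25-character normalized run is shared, does not flag the merely similar `example-rightpad`. The winnowing property that makes this practical at scale is that only one hash per window is stored, yet any shared run of at least `W + K - 1` normalized characters is guaranteed to share a fingerprint, so a component's fingerprint set stays small enough to index across millions of components.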